
Cyware Daily Threat Intelligence, February 20, 2025


Daily Threat Briefing Feb 20, 2025

Ransomware attacks on healthcare are becoming disturbingly routine, and now, NailaoLocker has entered the fray. This new strain exploited a flaw to infiltrate European healthcare organizations. While its encryption method is solid, the malware lacks the sophistication of more advanced threats, relying on DLL sideloading and missing key evasion techniques.

Microsoft has patched two actively exploited vulnerabilities affecting Bing and Power Pages. The flaws allowed unauthorized code execution and privilege escalation, but details on the actual attacks remain scarce. Users are urged to apply the updates as soon as possible.

Russian cyber-espionage groups are taking their spying operations straight into encrypted messaging apps. Signal users tied to military and government affairs in Ukraine are their latest targets, with one group tricking victims through malicious QR codes and another using a fake military app to lure them into phishing traps. Google warns that these tactics have also been aimed at Telegram and WhatsApp.

Top Malware Reported in the Last 24 Hours

NailaoLocker ransomware: New threat emerges

A new ransomware called NailaoLocker has been found in attacks on European healthcare organizations from June to October 2024. These attacks used a vulnerability in Check Point Security Gateway (CVE-2024-24919) to access networks and deploy ShadowPad and PlugX malware, linked to Chinese state-sponsored threat groups. NailaoLocker is considered basic because it doesn't shut down security processes and lacks advanced evasion techniques. The malware is delivered through DLL sideloading and encrypts files with the AES-256-CTR method.

New BlackLock RaaS on the rise

First observed in March 2024, BlackLock, also known as El Dorado, has quickly risen in the RaaS market. By the end of 2024, it became the 7th most active ransomware group on data leak sites, experiencing a 1,425% increase in activity from the previous quarter. BlackLock uses a double extortion method that encrypts data and steals sensitive information, threatening victims with public exposure. Its ransomware targets Windows, VMware ESXi, and Linux systems. BlackLock's custom-built malware and unusual data-leak site give it a competitive edge in the ransomware landscape.

SectopRAT mimics Chrome extension

SectopRAT, also known as Arechclient2, is an advanced RAT built with the .NET framework. It uses sophisticated obfuscation techniques, making it hard to detect. Recently, it was found disguised as a legitimate Google Chrome extension named Google Docs, improving its stealth and data theft capabilities. It employs a calli obfuscator that complicates analysis, concealing its main functions. Researchers found it can steal browser data, profile systems, target applications like VPNs and game launchers, and scan for cryptocurrency wallets. It communicates with its C2 server through encrypted channels on specific ports. The fake Google Chrome extension injects malicious scripts into web pages and captures sensitive information while pretending to enable offline editing for Google Docs.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft fixes bugs in Bing and Power Pages

Microsoft has released security updates for two critical vulnerabilities affecting Bing and Power Pages. CVE-2025-21355 (CVSS score: 8.6) allows unauthorized attackers to execute code on Microsoft Bing, while CVE-2025-24989 (CVSS score: 8.2) involves improper access control in Power Pages, allowing elevation of privileges. Microsoft has confirmed that the vulnerabilities have been exploited, but does not provide details on the attacks.

Multiple flaws in Barebox bootloader

Barebox, a popular bootloader for embedded systems, has released version 2025.01.0 to fix critical vulnerabilities that could let attackers bypass secure boot and execute code. These vulnerabilities affect the bootloader's handling of SquashFS filesystems and memory allocation. The most serious concerns involve Barebox's SquashFS support (CVE-2024-57260), which lacked important security patches from Linux, exposing it to known exploits. Additionally, two integer overflow vulnerabilities could lead to memory corruption, allowing attackers to take control of programs.

FBI warns against Ghost ransomware activity

The Ghost ransomware group has been exploiting software and firmware vulnerabilities as recently as January, according to an alert from the FBI and CISA. This group, also known as Cring and operating from China, targets internet-facing services with unpatched issues. They have compromised organizations in over 70 countries, including China. Vulnerabilities include unpatched Fortinet appliances, Adobe ColdFusion servers, and exposed Microsoft Exchange servers. Victims have included critical infrastructure, schools, healthcare, and small businesses. Ghost typically spends only days on victim networks, using common hacking tools and malware.

Top Scams Reported in the Last 24 Hours

Amazon Prime phishing scam steals login info

Cofense has found a new phishing scam targeting Amazon Prime users to steal login details, security answers, and payment information. The scam uses a fake email that seems to come from Amazon, telling users to update their payment info due to an "expired" method. The email has a spoofed sender name, "Prime Notification," but comes from a different domain. It creates a false urgency to make users click a fraudulent link that leads to a fake Amazon security page. Users should check the URL as it directs to Google Docs instead of Amazon.

Russian groups target Signal

The threat actors UNC5792 and UNC4221 have been identified as two Russian cyber-espionage groups targeting Signal, focusing on individuals likely involved in sensitive military and government communications related to the war in Ukraine. Currently, this activity seems confined to persons of interest to Russia's intelligence services. UNC5792 uses malicious QR codes in invitations to Signal groups, while UNC4221 employs a phishing kit mimicking a military app to deceive users. Google also mentions that similar tactics have been directed at Telegram and WhatsApp, where Russian groups, including Star Blizzard, have targeted accounts of government officials.

Phishing attack leverages invisible Unicode trick

A new JavaScript obfuscation method using invisible Unicode characters is being misused in phishing attacks aimed at affiliates of an American political action committee. The obfuscation method transforms each ASCII character in the JavaScript into binary and replaces it with invisible Hangul characters, making the code appear empty. A small bootstrap script retrieves the hidden code and reconstructs it. The attackers also use additional concealment measures such as base64 encoding and anti-debugging checks, making detection difficult.
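The invisible-Unicode trick described above is easy to surface once you know what to look for: the "empty" string literal is in fact a long run of Hangul filler code points, one per bit. The following scanner is an added example written for this briefing, not code from Cyware or from the phishing kit; it flags JavaScript containing such runs and decodes them back to the text they hide. The briefing does not name the two code points used, so the choice of U+FFA0 (halfwidth Hangul filler) and U+3164 (Hangul filler), and which of them stands for 0 and 1, is an assumption here; the sample script it scans is constructed inline.

```python
# Added example (not from the briefing): detect and decode JavaScript that hides
# its real code in "invisible" Hangul filler characters, one character per bit.
import re

# Assumption: the two invisible code points used as bit carriers and their
# 0/1 mapping. The briefing does not specify them.
BIT_ZERO = "\uFFA0"  # HALFWIDTH HANGUL FILLER
BIT_ONE = "\u3164"   # HANGUL FILLER
# A run of at least one byte's worth (8) of filler characters is suspicious.
FILLER_RUN = re.compile(f"[{BIT_ZERO}{BIT_ONE}]{{8,}}")


def hide_in_fillers(text: str) -> str:
    """Constructed sample input only: each ASCII byte becomes 8 filler chars."""
    bits = "".join(f"{b:08b}" for b in text.encode("ascii"))
    return "".join(BIT_ONE if bit == "1" else BIT_ZERO for bit in bits)


def decode_fillers(run: str) -> str:
    """Turn a run of filler characters back into the ASCII text it encodes."""
    bits = "".join("1" if ch == BIT_ONE else "0" for ch in run)
    bits = bits[: len(bits) - len(bits) % 8]  # ignore a trailing partial byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return data.decode("ascii", errors="replace")


def scan_script(src: str) -> dict:
    """Report how many filler runs a script contains and what they conceal."""
    runs = FILLER_RUN.findall(src)
    return {
        "suspicious": bool(runs),
        "runs": len(runs),
        "filler_chars": sum(len(r) for r in runs),
        "payloads": [decode_fillers(r) for r in runs],
    }


# Constructed sample: a bootstrap-style script whose string literal renders as
# empty in an editor but carries a hidden statement.
HIDDEN = hide_in_fillers('console.log("hidden")')
SAMPLE_JS = (
    'const s = "' + HIDDEN + '";\n'
    '// ...the real bootstrap would rebuild s from the fillers and execute it...\n'
)
BENIGN_JS = "function f() { return 1; }\n"

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        report = scan_script(src)
        print(name, report["suspicious"], report["filler_chars"], report["payloads"])
```

In a mail gateway or sandbox, the same check can run over every JavaScript attachment or inline script: a non-trivial count of filler characters inside a string literal is by itself a strong signal, and the decoded payload gives analysts the underlying code without having to execute the bootstrap.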
